http://www.iaeme.com/IJCIET/index.asp 96 [email protected]
International Journal of Civil Engineering and Technology (IJCIET)
Volume 9, Issue 8, August 2018, pp. 96–112, Article ID: IJCIET_09_08_011
Available online at http://www.iaeme.com/ijciet/issues.asp?JType=IJCIET&VType=9&IType=8
ISSN Print: 0976-6308 and ISSN Online: 0976-6316
© IAEME Publication Scopus Indexed
ASSESSING THE INFORMATION SECURITY
CULTURE IN A GOVERNMENT CONTEXT:
THE CASE OF A DEVELOPING COUNTRY
Mohamad Noorman Masrek
Faculty of Information Management
Universiti Teknologi MARA
Shah Alam Selangor, Malaysia
Qamarul Nazrin Harun
Faculty of Information Management
Universiti Teknologi MARA
Shah Alam Selangor, Malaysia
Noor Zaidi Sahid
Faculty of Information Management
Universiti Teknologi MARA
Shah Alam Selangor, Malaysia
ABSTRACT
In the Industrial Revolution 4.0 (IR 4.0), information security has been highlighted
as one of the critical components that needs to be addressed by industry practitioners.
To this effect, the deployment of information security controls, both technical and
non-technical, is essential so as to safeguard and protect organizational information
from any form of threat or danger. Information Security Culture (ISC) is a term used
to describe a situation where not only are members aware of and skilled in
information security, but the processes and procedures as well as the technologies are
also in place to protect and safeguard organizational information. This paper reports
the findings of a study aimed at assessing the ISC of Malaysian public
organizations. The study used a survey research methodology with a questionnaire as
the data collection technique. The results of the study suggest that ISC, which is
measured in terms of management support, policy and procedures, compliance,
awareness, budget and technology, is not in place in the participating
organizations. The findings send a strong message that much effort is needed to
strengthen the ISC in these participating organizations.
Key words: information security; information security culture; perceived importance;
perceived implementation; survey; questionnaire.
Cite this Article: Mohamad Noorman Masrek, Qamarul Nazrin Harun and Noor Zaidi
Sahid, Assessing the Information Security Culture in a Government Context: The Case
of a Developing Country. International Journal of Civil Engineering and Technology,
9(8), 2018, pp. 96-112.
http://www.iaeme.com/IJCIET/issues.asp?JType=IJCIET&VType=9&IType=8
1. INTRODUCTION
The rise in data and information security breaches of late is alarming. In 2017,
Malaysia suffered the largest data breach, in which records of mobile phone numbers, names
and SIM card data of 46 million users were stolen from Malaysian telecoms companies
(Tan & Nair, 2017). In addition, it was also reported that about 80000 medical records were
stolen. A recent study by IBM Security and the Ponemon Institute involving 11
countries and two regions, namely ASEAN (Singapore, Indonesia, the Philippines and
Malaysia) and the Middle East (United Arab Emirates and Saudi Arabia), found that all
participating organizations had experienced a data breach, ranging from approximately 2,600 to
slightly less than 100,000 compromised records (Ponemon Institute, 2017a). The average total
cost of a data breach for the 419 participating companies was $3.62 million (Ponemon Institute,
2017a). In another study, Ponemon Institute (2017b) surveyed 1000 information technology
(IT) professionals at small and medium-sized companies, and the results showed that 54% of
these respondents said that negligent employees were the root cause of data breaches.
According to Peltier, Peltier & Blackley (2005), “employees are most familiar with the
organization's information assets and processing systems, including knowing what actions
might cause the most damage, mischief, or sabotage”. Given that the damage caused by a data and
information breach is hazardous to the well-being of the organization, the need to
intensify information security is inevitable.
Information security can be defined as “a well-informed sense of assurance that
information risks and controls are in balance” (Anderson, 2003). According to the IT Governance
Institute (2001), the objective of information security is “protecting the interests of those
relying on information, and the systems and communications that deliver the information,
from harm resulting from failures of availability, confidentiality, and integrity”.
Confidentiality means “preserving authorized restrictions on information access and
disclosure, including means for protecting personal privacy and proprietary information”
(Nieles, Dempsey & Pillitteri, 2017). Integrity means guarding against improper information
modification or destruction and ensuring information non-repudiation and authenticity.
Availability means ensuring timely and reliable access to and use of information. Scholars
have argued that besides implementing technical information security controls, it is equally
important for an organization to develop an information security culture (ISC) (Eloff & Von
Solms, 2000; Von Solms, 2000). Information Security Culture (ISC) is a term used to
describe a situation where not only are members aware of and skilled in information
security, but the processes and procedures as well as the technologies are also in place to protect
and safeguard organizational information. According to Rastogi & von Solms (2012), ISC has
been found to have a profound influence on the compliance of end-users with information
security policies and controls in their organization.
Many studies suggest that implementing ISC inside organizations helps in managing
and reducing security risks to information assets (AlHogail & Mirza, 2015). However, most
of these studies were done in countries other than Malaysia. Because of this, not much is
really known about the state of ISC in the context of Malaysia, especially among government
agencies. To this effect, a study was carried out with the aims of (i) identifying the
components perceived as important for developing ISC in the context of Malaysian public
organizations, (ii) identifying the state of practice in relation to the components of ISC
perceived as important, and (iii) identifying the gap between perceived importance and
perceived implementation in terms of the ISC components.
2. LITERATURE REVIEW AND CONCEPTUAL FRAMEWORK
ISC has its roots in organizational culture. According to Brown (1998), organizational
culture refers “to the pattern of beliefs, values and learned ways of coping with experience
that have developed during the course of an organization's history, and which tend to be
manifested in its material arrangements and in the behaviours of its member”. Schein (1999)
asserted that beliefs and values, however, are concepts that are difficult to quantify, and it is
therefore often tempting to think of culture as just “the way we do things around here”.
Drawing upon the definitions of organizational culture, researchers have defined ISC in myriad
ways. For instance, Dhillon (2007) defined ISC as “the totality of human attributes such as
behaviors, attitudes, and values that contribute to the protection of all kinds of information in
a given organization.” On the other hand, AlHogail & Mirza (2015) defined ISC as “the
collection of perceptions, attitudes, values, assumptions and knowledge that guides how
things are done in organization in order to be consistent with the information security
requirements with the aim of protecting the information assets and influencing employees'
security behavior in a way that preserving the information security becomes a second nature”.
Martins & Da Veiga (2015), however, opined that when developing ISC, people, process and
technology need to be combined.
The published studies on ISC have generated various models and frameworks that highlight the
importance and significance of ISC. In addition, a good number of studies have also provided
guidelines for creating and assessing ISC (Tolah, Furnell & Papadaki, 2017). Schlienger &
Teufel (2003), for instance, identified security culture as consisting of three layers: (i)
corporate policies (policy, organisation structure, resources); (ii) management
(implementation of security policy, responsibility, qualification and training, awards and
prosecutions, audits, benchmarks); and (iii) individual (attitude, communication, compliance).
In another study, Da Veiga & Eloff (2010) showed that the following factors were integral in
developing ISC: (i) leadership and governance (sponsorship, strategy, IT governance, risk
assessment, ROI/metrics/measurement); (ii) security management and organisation (legal and
regulatory, program organisation); (iii) policy (policies, standards, procedures, guidelines, best
practice, certification); (iv) security program management (monitor, audit, compliance); (v)
user security management (awareness, training, trust, privacy, ethical conduct); (vi)
technology protection and operations (system development, technical operation, physical and
environment, asset management, incident management, business continuity); and (vii) change
management.
Figure 1 presents the conceptual framework of the study. ISC is dimensionalised as
comprising management support, policy and procedures, compliance, awareness, budget
and technology. Management support is further divided into information security commitment
and information security importance, while policy and procedure is broken down into
information security policy effectiveness and information security directives. The compliance
component has two parts, which are information security monitoring perceptions and
information security consequences. The awareness component comprises information
security responsibility and information security training. The budget component is divided
into information security budget practices and information security investments. The
technology component is segmented into information technology capability and information
technology compatibility. As the study is aimed at examining the aspects or components
perceived as important and also the extent to which each component is being practiced, the ISC
framework is split into two parts: perceived importance and perceived implementation.
The framework rates the same six components and twelve sub-constructs on two scales,
perceived importance and perceived implementation:
Management Support
• Information Security Commitment • Information Security Importance
Policy & Procedure
• Information Security Policy Effectiveness • Information Security Directives
Compliance
• Information Security Monitoring Perceptions • Information Security Consequences
Awareness
• Information Security Responsibility • Information Security Training
Budget
• Information Security Budget Practices • Information Security Investment
Technology
• Information Technology Capability • Information Technology Compatibility
Figure 1 Conceptual Framework
Information security commitment is defined as the degree to which top management gives
full support to and shows its involvement in an organizational initiative on information
security. Information security importance refers to the degree to which top management gives
preference to information security as compared to any other activities. Information security
policy effectiveness relates to the appraisal of the information security policy: whether it is
understandable, practical and successfully communicated. Information security directives are
concerned with clear direction or instruction on the protection of information security
assets from information security incidents, such as information security breaches caused
by unauthorized parties. Information security monitoring perceptions refers to the perception
regarding monitoring and disciplinary action in relation to information security practices,
while information security consequences is defined as the necessary action that needs to be
taken in the event of non-compliance with the information security policy. Information security
responsibility denotes the person or department responsible for ensuring compliance with
information security policies. Information security training means the training provided to
employees so as to create awareness and increase their knowledge, skills and competencies in
information security. Information security budget practice signifies the annual allocation of
budgets for information security activities and prompt action on expenses pertaining to
information security activities. Information security investment represents the capital or time
invested, which could be tangible or intangible. Information technology capability represents the ability
to fulfil technical security requirements and to assist organizations in fulfilling information
security policy requirements. On the other hand, information technology compatibility relates
to the ability of the software and hardware to work together, adhering to common technology
standards.
3. RESEARCH METHODOLOGY
3.1. Research Paradigm and Approach
In management research, paradigms can be generally divided into positivism and
interpretivism, while approaches can be divided into three: quantitative, qualitative and
mixed method. Research that falls under the positivism paradigm is aimed at producing data that
can be statistically analyzed and results that can be expressed numerically. Studies that
employ a quantitative approach typically begin with data collection based on a hypothesis or
theory, and the results or findings are usually objective and reliable since they are based
on large and representative samples (Charumbira, 2013). The present study can be categorized
under the positivism paradigm, while the approach is quantitative.
3.2. Research Method
As far as the research method is concerned, this study used the survey method. According to
Mathiyazhagan & Nandan (2010), survey research is “a method of descriptive research used
for collecting primary data based on verbal or written communication with a representative
sample of individuals or respondents from the target population”. In a survey research design,
the purpose of the study can be divided into exploration, description and hypothesis testing
(Sekaran & Bougie, 2010). This study can be categorized as a descriptive study because it was
undertaken to describe the characteristics of the variables of interest.
3.3. Population and Sampling
The population of the study was the Information Technology Departments of Malaysian Federal
Ministries. At the time of the data collection, the size of the population was 301. Using
convenience sampling, a total of 295 questionnaires were distributed; 292 were returned and
found usable for further analysis. Convenience sampling is a type of non-probability sampling.
Rowley (2014) asserted that although probability sampling is believed to be ideal in research, the
vast majority of studies in social science research actually draw upon non-probability
samples. Bryman & Bell (2015) also stated that in reality, non-probability sampling is more
frequently employed and more likely to be appropriate in fieldwork research. It is for this
reason that this study used convenience sampling.
3.4. Data Collection
For collecting the research data, the study used a questionnaire. The items in the questionnaire
were mainly developed by the researcher. Each construct from the conceptual framework uses
four items. As there are altogether 12 constructs, the total number of items was 48. For each
item, a five-point Likert scale was used. For perceived importance, the
anchors were the two extremes of “1 = not important at all” and “5 = extremely
important”. For perceived implementation, the anchors were the two extremes
of “1 = not practice at all” and “5 = highly practice”. The respondents were required to
respond by ticking on these Likert scales. Before the questionnaire was administered to the
targeted respondents, it was first pre-tested and also pilot-tested. Several experts who were
academicians and industry practitioners were engaged in the pre-testing exercise. Comments
and suggestions given by them were used to revise and refine the questionnaire. Thirty
respondents were also engaged in the pilot test. Their responses were used to calculate
Cronbach's alpha, an indicator of a scale's reliability. The results showed that the Cronbach's
alpha scores for all constructs surpassed the recommended value of 0.7, suggesting that the
instrument used in the study was acceptably reliable.
3.5. Data Analysis
This study performed both descriptive and inferential analysis on the research data.
Descriptive analysis was performed to describe the variables. The statistics reported were
mean, standard deviation, standard error and variance. Inferential analysis was executed to
either examine the relationship between variables or to compare different groups with regard
to certain variables. In this study, a paired sample t-test was used to compare the differences
between the perceived importance and perceived implementation in terms of the constructs of
the ISC framework.
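The following is an added worked example of the analysis described in Sections 3.4 and 3.5; it is not the authors' code, and the response vectors in it are constructed, not the study's data. It computes the four statistics reported per item in Section 4 (mean, standard error, standard deviation, variance), Cronbach's alpha for a construct against the 0.7 threshold, and the paired-sample t statistic on the per-respondent gap between perceived importance and perceived implementation. It also includes a consistency check a reader can apply to any table row: with n = 292 (Section 3.3), a reported Std Error must equal Std Dev / sqrt(292) and Variance must equal Std Dev squared. The function names and the tolerance of 0.001 are this example's own choices.

```python
"""Descriptive statistics, Cronbach's alpha and a paired-sample t-test for
Likert-scale ISC survey items (Sections 3.4 and 3.5 of the paper).
Added example code; the score vectors below are constructed, not the study's data."""
import math
from statistics import mean, stdev

N_RESPONDENTS = 292  # usable questionnaires reported in Section 3.3


def describe(scores):
    """Mean, standard error, sample standard deviation and variance of one item,
    i.e. the four statistics reported for each item in the tables of Section 4."""
    n = len(scores)
    sd = stdev(scores)  # sample (n - 1) standard deviation
    return {"n": n, "mean": mean(scores), "std_error": sd / math.sqrt(n),
            "std_dev": sd, "variance": sd * sd}


def consistent_with_table(std_error, std_dev, variance, n=N_RESPONDENTS, tol=1e-3):
    """Check that a reported (Std Error, Std Dev, Variance) triple is internally
    consistent for sample size n: SE = SD / sqrt(n) and Var = SD^2, within tol.
    tol = 0.001 is an assumption matching the three-decimal rounding in the tables."""
    return (abs(std_dev / math.sqrt(n) - std_error) < tol
            and abs(std_dev ** 2 - variance) < tol)


def cronbach_alpha(items):
    """Cronbach's alpha for one construct. items is a list of k per-item score
    lists, each with one score per respondent. Values >= 0.7 are treated as
    acceptably reliable, the threshold the paper applies in Section 3.4."""
    k = len(items)
    n = len(items[0])
    if k < 2 or any(len(it) != n for it in items):
        raise ValueError("need at least two items with equal respondent counts")
    item_var = sum(stdev(it) ** 2 for it in items)
    totals = [sum(it[i] for it in items) for i in range(n)]  # per-respondent sum
    return (k / (k - 1)) * (1 - item_var / stdev(totals) ** 2)


def paired_t(importance, implementation):
    """Paired-sample t statistic on the per-respondent gap
    (perceived importance - perceived implementation) for one item."""
    if len(importance) != len(implementation):
        raise ValueError("paired test needs both scores for every respondent")
    diffs = [a - b for a, b in zip(importance, implementation)]
    n = len(diffs)
    se = stdev(diffs) / math.sqrt(n)
    return {"mean_gap": mean(diffs), "t": mean(diffs) / se, "df": n - 1}


# Constructed responses for one item from six respondents (1-5 Likert scale).
IMPORTANCE = [5, 4, 5, 5, 4, 5]
IMPLEMENTATION = [2, 2, 3, 1, 2, 2]

# Constructed scores on three items of one construct, for the reliability check.
CONSTRUCT_ITEMS = [[5, 4, 5, 3], [5, 4, 4, 3], [4, 4, 5, 3]]

if __name__ == "__main__":
    print(describe(IMPORTANCE))
    print(paired_t(IMPORTANCE, IMPLEMENTATION))
    print(round(cronbach_alpha(CONSTRUCT_ITEMS), 3))
    # First row of Table 1: SE 0.033, SD 0.568, Var 0.322, n = 292 -> True
    print(consistent_with_table(0.033, 0.568, 0.322))
```

The paired test is the right choice here because each respondent rates the same item on both scales, so the gap is computed per respondent rather than by comparing two independent group means; the `df` returned is n - 1, which is what the t statistic should be compared against when looking up a p-value.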
4. FINDINGS
4.1. Demographic Profiles
Out of the 292 respondents who participated in this study, 167 or 57.2% were men while the rest
were women (42.8%). In terms of age, the majority of respondents were aged between 36 and
40 (47.9%), while the minority (13%) were aged between 31 and 35. As for the
respondents' education level, 30 or 10.3% indicated that they held a Master's degree, while the remaining 262
or 89.7% held a Bachelor's degree.
4.2. Descriptive Analysis
Table 1 presents the descriptive statistics of information security commitment. The overall
mean for perceived importance is 4.61, while for perceived implementation it is 2.01. These
mean values suggest that all four listed items are indeed important in measuring
information security commitment.
Table 1 Descriptive Statistics of Information Security Commitment
Item | Perceived Importance (Mean, Std Error, Std Dev, Variance) | Perceived Implementation (Mean, Std Error, Std Dev, Variance)
Top management that is committed to information security policy formulation | 4.71, 0.033, 0.568, 0.322 | 2.23, 0.054, 0.916, 0.839
Top management that is devoted to ensuring the success of protecting and safeguarding organizational information resources | 4.57, 0.035, 0.591, 0.350 | 1.72, 0.058, 0.987, 0.974
Top management that is committed to maintaining organization's reputation | 4.70, 0.033, 0.561, 0.314 | 2.34, 0.054, 0.926, 0.858
Top management that is dedicated to providing mentoring and training opportunities regarding information security | 4.47, 0.035, 0.606, 0.367 | 1.74, 0.056, 0.959, 0.920
Overall mean | 4.61 | 2.01
The highest mean score for perceived importance is for the item that reads “Top
management that is committed to information security policy formulation”, while the lowest
mean is for the item that reads “Top management that is dedicated to providing mentoring and
training opportunities regarding information security”. In terms of perceived implementation,
all mean scores are less than the mid-point value, implying that the practice of the listed items is
relatively low in the participating organizations.
The overall mean for the four items measuring information security importance is 4.57 for
perceived importance and 2.10 for perceived implementation. The highest mean score for
perceived importance is for the item that reads “Top management that gives significant
priority for information security policy establishment”, followed by the item that reads “Top
management that communicate with the employees on the importance of information
security”. As for perceived implementation, the mean scores ranged between 1.63 and 2.38.
All of these values are less than the mid-point value of three, suggesting that the
implementation of the listed items in the participating organizations is quite low. The
lowest mean score for perceived implementation is for the item that reads “Top management
that communicate with the employees on the importance of information security”. The detailed
results of the descriptive statistics of information security importance are presented in Table 2.
Table 2 Descriptive Statistics of Information Security Importance
Item | Perceived Importance (Mean, Std Error, Std Dev, Variance) | Perceived Implementation (Mean, Std Error, Std Dev, Variance)
Top management that gives significant priority for information security policy establishment | 4.74, 0.032, 0.551, 0.303 | 2.37, 0.046, 0.782, 0.611
Top management that gives significant preferences on information security enforcement | 4.48, 0.035, 0.595, 0.354 | 2.38, 0.045, 0.770, 0.593
Top management that reacts immediately when there is information security breaches | 4.48, 0.035, 0.595, 0.354 | 2.03, 0.058, 0.986, 0.972
Top management that communicate with the employees on the importance of information security | 4.59, 0.036, 0.606, 0.367 | 1.63, 0.055, 0.933, 0.870
Overall mean | 4.57 | 2.10
Four items were developed for measuring information security policy effectiveness.
Between perceived importance and perceived implementation, the former recorded a
higher mean value than the latter: 4.57 as opposed to 2.04 (Table 3). For
perceived importance, all items scored mean values greater than four, while for
perceived implementation, all items scored mean values less than three. For perceived
importance, the item that reads “The Information security policy that is understandable by all
employees irrespective of their ranks” recorded the highest mean value (i.e. 4.74), while the
lowest mean value (i.e. 4.48) is for the item that reads “The information security policy that
regularly reviewed and updated”. The respondents of the study believed that the information
security policy of their organization was not regularly reviewed and updated. This is evident
from the lowest mean value (i.e. 1.65) for perceived implementation.
Table 3 Descriptive Statistics of Information Security Policy Effectiveness
Item | Perceived Importance (Mean, Std Error, Std Dev, Variance) | Perceived Implementation (Mean, Std Error, Std Dev, Variance)
The Information security policy that is understandable by all employees irrespective of their ranks | 4.74, 0.032, 0.551, 0.303 | 2.29, 0.040, 0.689, 0.475
The information security policy that is well communicated to all employees irrespective of their ranks | 4.50, 0.036, 0.612, 0.375 | 2.19, 0.045, 0.769, 0.591
The information security policy that ensures regulatory compliance with various privacy and security laws | 4.57, 0.035, 0.602, 0.363 | 2.01, 0.043, 0.737, 0.543
The information security policy that regularly reviewed and updated | 4.48, 0.036, 0.606, 0.367 | 1.65, 0.051, 0.874, 0.763
Overall mean | 4.57 | 2.04
The result of the descriptive analysis of information security policy directives is
shown in Table 4. For perceived importance, the highest mean is for the item “Clear
directives for the protection of stakeholder's information”, followed by “Clear directives
on the handling of information security incidents”. For perceived implementation, the
highest mean is for the item that reads “Clear directives on the handling of information security
incidents”, followed by “Clear directives on the prevention of information security
breaches”. Overall, between perceived importance and perceived implementation, the mean
difference is 2.76. Respondents in general believed that all of the listed items measuring
information security policy directives were important but not well implemented in their
organizations.
Table 4 Descriptive Statistics of Information Security Policy Directives
Item | Perceived Importance (Mean, Std Error, Std Dev, Variance) | Perceived Implementation (Mean, Std Error, Std Dev, Variance)
Clear directives for the protection of stakeholder's information | 4.71, 0.035, 0.594, 0.353 | 1.62, 0.055, 0.944, 0.890
Clear directives on the handling of information security incidents | 4.70, 0.034, 0.584, 0.340 | 2.18, 0.041, 0.709, 0.502
Clear directives on the prevention of information security breaches | 4.50, 0.037, 0.629, 0.395 | 2.01, 0.039, 0.658, 0.433
Clear directives for the compliance of organization's policy and procedures | 4.60, 0.035, 0.604, 0.365 | 1.68, 0.051, 0.876, 0.768
Overall mean | 4.63 | 1.87
To recall, information security monitoring perceptions is defined as the perception
regarding monitoring and disciplinary action in relation to information security practices.
Four items were used to measure this variable, and the results of the descriptive analysis are
portrayed in Table 5. For perceived importance, all items recorded mean values
greater than four, while for perceived implementation the overall mean score is 1.91.
Apparently, all four listed items were not well implemented in the participating
organizations despite being perceived as very important for the development of a solid ISC.
Table 5 Descriptive Statistics of Information Security Monitoring Perceptions
Item | Perceived Importance (Mean, Std Error, Std Dev, Variance) | Perceived Implementation (Mean, Std Error, Std Dev, Variance)
Constant monitoring of information security policy compliance by all employees | 4.74, 0.035, 0.606, 0.367 | 2.09, 0.040, 0.680, 0.462
Constant assessment employee's key performance indicators regarding information security practices | 4.34, 0.036, 0.618, 0.382 | 2.02, 0.039, 0.663, 0.439
Periodic study on the employee's satisfaction regarding information security practices | 4.35, 0.038, 0.653, 0.426 | 1.76, 0.042, 0.720, 0.518
Regular surveillance of employees information security practices | 4.37, 0.038, 0.648, 0.420 | 1.78, 0.033, 0.570, 0.325
Overall mean | 4.45 | 1.91
Based on the results shown in Table 6, it is quite apparent that the respondents of the study felt
that making employees accountable for actions that violate security policy is very
important. In the same light, they also felt that it is equally necessary to take corrective action
where there is a violation of the information security policy. The respondents of the study also
indicated that it is important to penalize employees who refuse to participate in
information security awareness activities or to attend information security training.
While all of the listed items measuring information security consequences
were perceived as important, they were, however, not well practiced or implemented in the
participating organizations.
Table 6 Descriptive Statistics of Information Security Consequences
Item | Perceived Importance (Mean, Std Error, Std Dev, Variance) | Perceived Implementation (Mean, Std Error, Std Dev, Variance)
Making employees accountable for their actions that violates security policy | 4.38, 0.034, 0.582, 0.339 | 2.07, 0.042, 0.717, 0.515
Taking corrective action for non-compliance events towards information security policy | 4.49, 0.036, 0.612, 0.375 | 1.83, 0.045, 0.771, 0.594
Penalizing the employee for refusing to participate in information security awareness activities | 4.43, 0.035, 0.602, 0.362 | 1.84, 0.037, 0.626, 0.392
Penalizing the employee for refusing to attend the information security training | 4.44, 0.035, 0.597, 0.357 | 1.51, 0.044, 0.748, 0.560
Overall mean | 4.44 | 1.81
The overall mean for the perceived importance of information security responsibilities is
4.65, implying that the respondents of the study agreed that the items listed are indeed very
important for creating an ISC. Out of the four items, two scored a mean of 4.76,
namely the item that reads “Entrusting the employee with responsibility for the protection of
organizational resources” and “Delegating greater authority to employees regarding
information security practices”. In terms of implementation, the mean scores for the four
items ranged between 1.59 and 2.01 (Table 7). These values suggest that information security
responsibilities are not in place in the participating organizations.
Table 7 Descriptive Statistics of Information Security Responsibilities
Item | Perceived Importance (Mean, Std Error, Std Dev, Variance) | Perceived Implementation (Mean, Std Error, Std Dev, Variance)
Entrusting the employee with responsibility for the protection of organizational resources | 4.76, 0.034, 0.582, 0.339 | 2.01, 0.035, 0.601, 0.361
Delegating greater authority to employees regarding information security practices | 4.76, 0.031, 0.528, 0.279 | 1.88, 0.038, 0.650, 0.422
Creating specific designation that oversee information security practices | 4.50, 0.036, 0.618, 0.381 | 1.84, 0.036, 0.613, 0.376
Involving employee in the formulation of information security policy | 4.56, 0.036, 0.615, 0.378 | 1.59, 0.042, 0.725, 0.525
Overall mean | 4.65 | 1.83
The importance of information security training in the creation of ISC has been well
established in many studies (Martins & Eloff, 2002; Whitman & Mattord, 2014). The
findings of this study, as shown in Table 8, are quite comparable to previous studies. The
mean scores for the four listed items measuring training are well above four. However, in
terms of implementation, the mean scores for the four items are less than three. The overall
mean for perceived importance is 4.65, while the overall mean for perceived
implementation is 1.82. These values suggest that a huge gap exists between perceived
importance and perceived implementation.
Table 8 Descriptive Statistics of Information Security Training
Item | Perceived Importance (Mean, Std Error, Std Dev, Variance) | Perceived Implementation (Mean, Std Error, Std Dev, Variance)
Making compulsory for all employees to attend information security training | 4.80, 0.029, 0.487, 0.237 | 2.09, 0.038, 0.654, 0.428
Making employees to participate in information security awareness activities | 4.60, 0.033, 0.557, 0.310 | 2.02, 0.040, 0.676, 0.456
Organizing information security training and awareness program periodically for employees | 4.62, 0.032, 0.552, 0.305 | 1.77, 0.043, 0.739, 0.547
Diversifying the mode of delivery for information security training (i.e. online training, face to face lecture, etc) | 4.58, 0.033, 0.565, 0.320 | 1.40, 0.037, 0.637, 0.405
Overall mean | 4.65 | 1.82
In terms of information security budget practices, the respondents rated allocating an annual budget for information security spending and cost as the most important item (mean 4.73), followed by allocating an annual budget for maintaining information security technologies (4.46) and for information security activities (4.39). Unfortunately, when it comes to implementation, none of these practices is in place: the item means range from 1.84 to 2.10 and the overall mean for perceived implementation is 1.97, suggesting that much effort is needed before these organizations allocate an appropriate budget for information security (Table 9).
Table 9 Descriptive Statistics of Information Security Budget Practices
(Columns: Perceived Importance Mean, Std Error, Std Dev, Variance | Perceived Implementation Mean, Std Error, Std Dev, Variance)
Allocating annual budget for information security spending and cost: 4.73 0.033 0.579 0.335 | 2.10 0.037 0.637 0.406
Allocating annual budget for information security activities: 4.39 0.035 0.597 0.356 | 1.98 0.040 0.678 0.460
Allocating annual budget for maintaining information security technologies: 4.46 0.035 0.605 0.366 | 1.84 0.041 0.700 0.491
Overall mean (importance) = 4.53 | Overall mean (implementation) = 1.97
Table 10 depicts the descriptive statistics of information security investment. Three items were used, and the item that reads "Investing significantly in information security resources" scored the highest mean for both perceived importance (4.80) and perceived implementation (2.13). The overall mean for perceived importance is 4.56 compared to 1.82 for perceived implementation. The item that reads "Investing in human resources to produce experts in information security" has the lowest mean score for perceived implementation (1.46), suggesting that the participating organizations fall short of in-house information security expertise.
Table 10 Descriptive Statistics of Information Security Investment
(Columns: Perceived Importance Mean, Std Error, Std Dev, Variance | Perceived Implementation Mean, Std Error, Std Dev, Variance)
Investing significantly in information security resources: 4.80 0.029 0.492 0.242 | 2.13 0.041 0.704 0.496
Investing significantly in information security training: 4.38 0.034 0.588 0.346 | 1.86 0.035 0.598 0.357
Investing in human resources to produce experts in information security: 4.49 0.035 0.589 0.347 | 1.46 0.040 0.690 0.476
Overall mean (importance) = 4.56 | Overall mean (implementation) = 1.82
Three items measuring information technology capability are presented in Table 11. The item that reads "Technological capability that is benchmarked against best practices in the industry" scored the highest mean for perceived importance (4.72), followed by the item "Technological capability that increases employees' performance towards compliance with policies" (4.48). The overall mean for perceived importance is 4.56 compared to 2.09 for perceived implementation. The item that reads "Information security technology that is flexible and expandable" scored the lowest mean for perceived implementation (1.91).
Table 11 Descriptive Statistics of Information Technology Capability
(Columns: Perceived Importance Mean, Std Error, Std Dev, Variance | Perceived Implementation Mean, Std Error, Std Dev, Variance)
Technological capability that is benchmarked against best practices in the industry: 4.72 0.033 0.558 0.311 | 2.21 0.043 0.727 0.528
Technological capability that increases employees' performance towards compliance with policies: 4.48 0.036 0.617 0.381 | 2.15 0.041 0.699 0.488
Information security technology that is flexible and expandable: 4.47 0.035 0.594 0.353 | 1.91 0.037 0.636 0.404
Overall mean (importance) = 4.56 | Overall mean (implementation) = 2.09
Table 12 shows the results of the descriptive analysis of information technology compatibility. The overall mean is far higher for perceived importance (4.76) than for perceived implementation (1.71). For perceived importance, the respondents rated all three items well above the mid-point of the scale (4.73 to 4.82). In contrast, the mean scores for the three items were below 2.00 for perceived implementation, and the item on compatibility with the organizational standard operating procedure has the widest spread of answers (SD 0.952). The results suggest that, despite the perception that information technology is important for establishing ISC, its implementation is still not in place.
Table 12 Descriptive Statistics of Information Technology Compatibility
(Columns: Perceived Importance Mean, Std Error, Std Dev, Variance | Perceived Implementation Mean, Std Error, Std Dev, Variance)
Information security technology that is compatible with the organizational standard operating procedure: 4.82 0.026 0.447 0.199 | 1.60 0.056 0.952 0.907
Information security technologies that are compatible with employees' work design: 4.73 0.030 0.515 0.265 | 1.94 0.040 0.686 0.470
Information security technology that reduces the risks of information security breaches: 4.74 0.030 0.513 0.264 | 1.59 0.049 0.839 0.704
Overall mean (importance) = 4.76 | Overall mean (implementation) = 1.71
Table 13 Paired Samples Statistics
(Columns: Mean paired difference, Std Dev, Std Error, t, df, Sig)
IS Commitment: 2.60 0.945 0.055 47.049 291 0.000
IS Importance: 2.47 0.862 0.051 49.041 291 0.000
IS Policy Effectiveness: 2.54 0.748 0.044 58.014 291 0.000
IS Directives: 2.75 0.784 0.046 60.054 291 0.000
IS Monitoring Perception: 2.53 0.684 0.040 63.338 291 0.000
IS Consequences: 2.62 0.716 0.042 62.560 291 0.000
IS Responsibility: 2.82 0.665 0.039 72.427 291 0.000
IS Training: 2.83 0.587 0.034 82.366 291 0.000
IS Budget Practice: 2.56 0.665 0.039 65.623 291 0.000
IS Investment: 2.74 0.636 0.037 73.671 291 0.000
IS Technology Capability: 2.47 0.737 0.043 57.166 291 0.000
IS Technology Compatibility: 3.05 0.822 0.048 63.472 291 0.000
Table 13 presents the results of the paired-samples t-test between perceived importance and perceived implementation for each of the twelve ISC variables. The Mean column is the mean paired difference, importance minus implementation (for IS Training, 4.65 - 1.82 = 2.83), and df = 291 corresponds to 292 paired responses. The p-values (Sig) for all variables are below 0.05, indicating that the difference between perceived importance and perceived implementation is statistically significant in every case; with t statistics between 47 and 83, the differences are large as well as significant. As already discussed in the previous sections, the mean score for perceived importance is far greater than that for perceived implementation.
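The descriptive tables above and the paired-samples t-test in Table 13 can be recomputed from raw Likert responses with nothing beyond the Python standard library. The block below is an added example, not code from the paper: it computes mean, standard error, standard deviation and variance for a set of ratings, runs the paired test (the p-value comes from the regularized incomplete beta function, the same formula Numerical Recipes uses for Student's t), and checks the printed rows for internal consistency (SE = SD/sqrt(n), Variance = SD squared, t = mean/SE). The respondent data in `constructed_sample` is invented, n = 292 is inferred from df = 291, and the tolerances are assumptions that reflect three-decimal rounding in the tables.

```python
"""Importance-vs-implementation gap analysis for Likert survey items.

Added example, not code from the paper. It reproduces the arithmetic behind
the descriptive tables and the paired-samples t-test (Table 13) so that the
published rows can be checked for internal consistency, and runs the same
computation on a constructed sample. Standard library only.
"""
import math
import random
from statistics import mean, stdev

# Rows of Table 13 as printed: (mean difference, SD, SE, t, df).
TABLE_13 = {
    "IS Commitment": (2.60, 0.945, 0.055, 47.049, 291),
    "IS Importance": (2.47, 0.862, 0.051, 49.041, 291),
    "IS Policy Effectiveness": (2.54, 0.748, 0.044, 58.014, 291),
    "IS Directives": (2.75, 0.784, 0.046, 60.054, 291),
    "IS Monitoring Perception": (2.53, 0.684, 0.040, 63.338, 291),
    "IS Consequences": (2.62, 0.716, 0.042, 62.560, 291),
    "IS Responsibility": (2.82, 0.665, 0.039, 72.427, 291),
    "IS Training": (2.83, 0.587, 0.034, 82.366, 291),
    "IS Budget Practice": (2.56, 0.665, 0.039, 65.623, 291),
    "IS Investment": (2.74, 0.636, 0.037, 73.671, 291),
    "IS Technology Capability": (2.47, 0.737, 0.043, 57.166, 291),
    "IS Technology Compatibility": (3.05, 0.822, 0.048, 63.472, 291),
}


def describe(scores):
    """Mean, standard error, sample SD (n-1 denominator) and variance of 1-5 ratings."""
    n = len(scores)
    sd = stdev(scores)
    return {"n": n, "mean": mean(scores), "se": sd / math.sqrt(n), "sd": sd, "var": sd * sd}


def _betacf(a, b, x):
    """Continued fraction for the regularized incomplete beta (modified Lentz method)."""
    fpmin = 1e-300
    qab, qap, qam = a + b, a + 1.0, a - 1.0
    c, d = 1.0, 1.0 - qab * x / qap
    d = 1.0 / (d if abs(d) >= fpmin else fpmin)
    h = d
    for m in range(1, 300):
        m2 = 2 * m
        # Even step then odd step of the continued fraction.
        for aa in (m * (b - m) * x / ((qam + m2) * (a + m2)),
                   -(a + m) * (qab + m) * x / ((a + m2) * (qap + m2))):
            d = 1.0 + aa * d
            d = 1.0 / (d if abs(d) >= fpmin else fpmin)
            c = 1.0 + aa / c
            c = c if abs(c) >= fpmin else fpmin
            h *= d * c
        if abs(d * c - 1.0) < 3e-14:
            break
    return h


def _betai(a, b, x):
    """Regularized incomplete beta function I_x(a, b) for 0 <= x <= 1."""
    if x <= 0.0:
        return 0.0
    if x >= 1.0:
        return 1.0
    lbeta = math.lgamma(a + b) - math.lgamma(a) - math.lgamma(b)
    bt = math.exp(lbeta + a * math.log(x) + b * math.log(1.0 - x))
    if x < (a + 1.0) / (a + b + 2.0):
        return bt * _betacf(a, b, x) / a
    return 1.0 - bt * _betacf(b, a, 1.0 - x) / b


def t_two_sided_p(t, df):
    """Two-sided p-value of a Student t statistic: I_{df/(df+t^2)}(df/2, 1/2)."""
    return _betai(df / 2.0, 0.5, df / (df + t * t))


def paired_t_test(importance, implementation):
    """Paired-samples t-test on per-respondent differences importance - implementation."""
    if len(importance) != len(implementation):
        raise ValueError("paired samples must have equal length")
    d = describe([a - b for a, b in zip(importance, implementation)])
    t = d["mean"] / d["se"]
    df = d["n"] - 1
    return {"mean_diff": d["mean"], "sd": d["sd"], "se": d["se"],
            "t": t, "df": df, "p": t_two_sided_p(t, df)}


def descriptive_row_consistent(se, sd, var, n=292, tol=0.002):
    """Check a Table 8-12 row: SE = SD/sqrt(n) and Variance = SD^2 within rounding (tol assumed)."""
    return abs(sd / math.sqrt(n) - se) <= tol and abs(sd * sd - var) <= tol


def paired_row_consistent(mean_diff, sd, se, t, df, tol=0.002, rel_tol=0.02):
    """Check a Table 13 row: SE = SD/sqrt(df+1) and t = mean/SE within rounding (tolerances assumed)."""
    return (abs(sd / math.sqrt(df + 1) - se) <= tol
            and abs(mean_diff / se - t) <= rel_tol * t)


def constructed_sample(n=40, seed=7):
    """Constructed Likert responses (not survey data): importance rated high, implementation low."""
    rng = random.Random(seed)
    importance = [rng.choice([4, 4, 5, 5, 5]) for _ in range(n)]
    implementation = [rng.choice([1, 1, 2, 2, 3]) for _ in range(n)]
    return importance, implementation


if __name__ == "__main__":
    imp, impl = constructed_sample()
    print("importance:", describe(imp))
    print("implementation:", describe(impl))
    print("paired t-test:", paired_t_test(imp, impl))
    for name, row in TABLE_13.items():
        print(f"{name}: consistent={paired_row_consistent(*row)}")
```

Run as a script it reports every Table 13 row as internally consistent. The same checks flag a row whose SE does not match its SD for the stated n, which is a cheap way to catch transcription errors in a results table before citing it or reusing the instrument in another organization.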
5. DISCUSSION
The requirements and characteristics of ISC differ from one organization to another (Masrek, 2017). The findings of this study show that, in the context of public organizations, management support, policy and procedures, compliance, awareness, budget and technology are the important elements for developing ISC. However, the findings also show that these elements are not appropriately in place. ISC starts with top management. Hone & Eloff (2002) stated that if top management really understands the need for information security in the organization, it will put effort into enforcing it and employees will become more involved. The findings of this study suggest that top management is not engaged, or perhaps not familiar with the concept of information security at all. Martins & Eloff (2002) asserted that management needs to model the correct behaviour, since that behaviour becomes accepted as the way things are done and serves as the reference for employee behaviour, which in time develops into a particular culture within the organization.
Da Veiga (2015) pointed out that the information security policy is a critical success factor for the establishment of an ISC in an organization. An information security policy is a written, living document outlining the actions and procedures that employees should follow in order to protect an organization's information assets (Siponen & Iivari, 2006). Latham (2013) stated that, for an organization's information security policy to be useful, the policy documents must be developed to fit the organization's culture. Despite the importance of information security policy, it is still not widely practised in the participating organizations.
Antoniou (2015) stated that if employees do not comply with an information security policy, the safety of the organization's information assets may be compromised. Perhaps that is why Puhakainen & Siponen (2010) stressed that employee compliance with the information security policy is one of the greatest risks to the safety of an organization's information assets. Herath & Rao (2009) explained that information security policies that are complicated and varied could be the reason why employees refuse to comply. Some employees also feel that complying with information security requirements is too time-consuming, pointless or complex (Antoniou, 2015). This situation necessitates continuous monitoring of compliance (Xiao-yan, Yu-quing, & Li-Leia, 2011). As presented in the findings section, the respondents acknowledged the importance of compliance but, in the context of their own organizations, admitted that it has yet to be successfully implemented.
The ISO/IEC 17799 standard (ISO, 2005; since renumbered ISO/IEC 27002) states that "providing appropriate training, education and awareness" is critical to the successful implementation of information security. This is because the effectiveness of information security controls depends on the people who implement and use them (Martins & Eloff, 2002). Hence, through awareness and training, employees are equipped with the necessary skills and knowledge of information security. Whitman & Mattord (2014) suggested that training should be customized to the functional background of the users, with separate training for general users, managerial users and technical users. Largely consistent with Connolly, Lang & Tygar (2014), this study found that awareness and training are either not provided or poorly organized.
Having a sufficient budget is crucial to the implementation of information security (Dinnie, 1999). Björck (2001) defined the budget as a financial facility that estimates the costs, and the access to resources, needed to accomplish a successful implementation of information security. A security budget can include (i) technical costs, both hardware and software, such as antivirus and firewalls, and (ii) education costs, which cover trainers, content and learning platforms. Beebe, Young & Chang (2014) noted that "top-level management consider information security investment requests amid competing funding requests across their organizations and they often have to make trade-off decisions amidst limited budgets". Their study concluded that organizations are typically inclined to take more risks than to invest in information security to prevent loss-based consequences (Beebe, Young & Chang, 2014). Similar to the findings of Beebe, Young & Chang (2014), this study also found that the participating organizations did not have appropriate budget allocations for information security.
IT capability can be defined "as the ability of firm to selects, accepts, configures and implements IT" (Turulja & Bajgorić, 2016), while IT compatibility is the degree of perceived ease of use of IT software when integrated with related IT facilities, work culture, values and organizational practices (Ghobakhloo et al., 2012). According to Shrivastava (2016), "in order to reap maximum benefits from any IT investments, the IT infrastructure must be optimized, benchmarked and its value to business quantifiable and that is why security plays an important role during the optimization process". Skopik, Settanni & Fiedler (2016) stated that IT compatibility, of both hardware and software, is crucial in information security implementation. The study by Alkasabeh (2014) showed a direct relationship between IT capabilities and the implementation of information security management systems in Jordanian banks. The findings of this study indicate that the technology components, namely capability and compatibility, are not well addressed in the development of ISC.
6. CONCLUSIONS
The purpose of this study was to identify the components perceived as important for developing ISC in the context of Malaysian public organizations and to establish the state of practice in relation to those components. In addition, the study examined the gap between perceived importance and perceived implementation for each ISC component. The results show that management support, policy and procedures, compliance, awareness, budget and technology are important in developing ISC. However, none of these components is in place in the participating organizations. The findings also indicate that the gap between the ideal level and the current state of implementation of the ISC components is very large and statistically significant.
This study has shown that, in order to develop an ISC, practitioners have to focus on the following factors: management support, policy and procedures, compliance, awareness, budget and technology. As for the participating organizations, much effort is needed to address the lack of these factors. Top management may need to attend workshops or seminars on information security so as to increase their awareness and understanding of the need for, and the importance of, developing ISC. With the right understanding, top management will probably start to initiate planning and strategies geared towards the development of ISC, and will also begin to develop an information security policy for their organizations and allocate an appropriate budget for training and awareness activities for employees.
Like any other study, this one has several limitations. The first relates to the time horizon of the data collection: as this is a cross-sectional study, the data cannot show how ISC changes over time, which a longitudinal design would capture. Secondly, the unit of analysis was the organization, with only one representative of each organization providing the data. For a study focusing on culture, multiple respondents per organization would be a better choice, as their aggregated responses would give a more accurate picture.
ACKNOWLEDGEMENT
The researchers would like to extend their thanks and appreciation to Universiti Teknologi MARA (UiTM) and the Ministry of Higher Education (MoHE) Malaysia for funding the project under the Fundamental Research Grant Scheme, file no. FRGS/1/2016/SS09/UITM/02/2.
REFERENCES
[1] AlHogail, A, and Mirza, A. (2015). Organizational Information Security Culture
Assessment. Proceedings of the International Conference on Information Security and
Management SAM2015. 286-292.
[2] Alkasabeh, A.A. (2014). The Effect of Information Technology Capabilities in
Implementing Information Security Management Systems. European Scientific Journal,
10(18), 377-385.
[3] Anderson, J. (2003). Why we need a new definition of information security. Computers
and Security, 22(4), 308-313.
[4] Antoniou, G.S. (2015). Designing an effective information security policy for exceptional
situations in an organization: An experimental study. Doctoral dissertation. Nova
Southeastern University. Retrieved from NSUWorks, College of Engineering and
Computing. (949) http://nsuworks.nova.edu/gscis_etd/949.
[5] Beebe, N.L., Young, D.K. and Chang, N.R. (2014). Framing Information Security Budget
Requests to Influence Investment Decisions. Communications of the Association for
Information Systems, 35(7). 133-143.
[6] Björck F. (2001) Implementing Information Security Management Systems. In: Eloff
J.H.P., Labuschagne L., von Solms R., Dhillon G. (eds) Advances in Information
Security Management & Small Systems Security. IFIP International Federation for
Information Processing, vol 72. Springer, Boston, MA.
[7] Brown, A. (1998). Organisational Culture (2nd ed). London: Pitman Publishing.
[8] Bryman, A., & Bell, E. (2015). Business research methods (4th ed.). United Kingdom:
OUP Oxford.
[9] Charumbira, L.T. (2013). The Philosophical and Methodological Approaches Used by
Sport and Business Management Student Researchers in Zimbabwe. Global Journal of
Commerce and Management Perspectives, 2(6), 51-56.
[10] Connolly, L., Lang, M. and Tygar, D. (2014). Managing Employee Security Behaviour in
Organisations: The Role of Cultural Factors and Individual Values. Proceedings of 29th
IFIP International Information Security Conference (SEC), Jun 2014, Marrakech,
Morocco.
[11] Da Veiga, A. (2015). The Influence of Information Security Policies on Information
Security Culture: Illustrated through a Case Study. Proceedings of the Ninth International
Symposium on Human Aspects of Information Security & Assurance (HAISA 2015).
[12] Da Veiga, A. and Eloff, J.H. (2010). A Framework and Assessment Instrument For
Information Security Culture, Computers & Security, 29(2), 196-207.
[13] Dhillon, G. (2007). Principles of Information Systems Security: Text and Cases. Danvers:
John Wiley & Sons.
[14] Dinnie, G. (1999). The Second Annual Global Information Security Survey. Information
Management & Computer security, 7(3), 112-120.
[15] Eloff, M. M., & Von Solms, S. H. (2000). Information security management: An approach
to combine process certification and product evaluation. Computers & Security, 19(8),
698–709.
[16] Ghobakhloo, M, Hong, T., Sabouri, M., and Zulkifli, N. (2012). Strategies for Successful
Information Technology Adoption in Small and Medium-Sized Enterprises.
Information, 3, 36-67.
[17] Herath, T., and Rao, H. R. (2009). Encouraging Information Security Behaviors in
Organizations: Role of Penalties, Pressures and Perceived Effectiveness. Decision Support
Systems, 47(2), 154-165.
[18] Hone, K. & Eloff, J. (2002). What Makes an Effective Information Security Policy?
Network Security, 2(6), 14-16.
[19] ISO. 2005. Information technology. Security techniques. Code of practice for information
security management. ISO/IEC 17799 (BS 7799 1: 2005).
[20] IT Governance Institute (2001). Information Security Governance: Guidance for Board of
Directors and Executive Management, Information Systems Audit and Control Foundation
(ISACF).
[21] Latham, R. (2013). Information Management Advice 35: Implementing Information Security. Retrieved 4 August 2018, from: https://www.informationstrategy.tas.gov.au/Records-Management-Principles/Document%20Library%20%20Tools/Advice%2035%20Implementing%20Information%20Security%20Part%204%20-%20IS%20Policy.pdf
[22] Martins, A. and Eloff, J. (2002). Information security culture. In Security in the
information society, Boston: Kluwer Academic Publishers, 203–214.
[23] Martins, N. and Da Veiga, A. (2015). An Information Security Culture Model Validated
with Structural Equation Modelling. Proceedings of the Ninth International Symposium
on Human Aspects of Information Security & Assurance (HAISA 2015).
[24] Masrek, M.N. (2017). Assessing Information Security Culture: The Case of Malaysia
Public Organization. Proceeding of 2017 4th International Conference on Information
Technology, Computer, and Electrical Engineering (ICITACEE), Oct 18-19, 2017,
Semarang, Indonesia.
[25] Mathiyazhagan, T. and Nandan, D. (2010). Survey Research Method. Media Mimansa,
National Institute of Family & Welfare, July-September 2010, New Delhi.
[26] Nieles, M., Dempsey, K. and Pillitteri, V.Y. (2017). An Introduction to Information
Security. NIST Special Publication 800-12 (Revision 1). National Institute of Standard
and Technology (NIST). Available Online https://doi.org/10.6028/NIST.SP.800-12r1
[27] Peltier, T.R., Peltier, J. and Blackley, J. (2005). Information Security Fundamentals. Boca
Raton, Florida: Auerbach Publications.
[28] Ponemon Institute (2017a). 2017 Cost of Data Breach Study. Global Overview.
[29] Ponemon Institute (2017b). 2017 State of Cybersecurity in Small & Medium-Sized
Businesses (SMB).
[30] Puhakainen, P., and Siponen, M. (2010). Improving employees' compliance through
information systems security training: An action research study. MIS Quarterly, 34(4),
757-778.
[31] Rastogi, R., & von Solms, R., (2012). Information security service culture - information
security for end-users. Journal of Universal Computer Science, 18(12), 1628-1642.
[32] Rowley, J. (2014). Designing and using research questionnaires. Management Research
Review, 37(3), 308-330.
[33] Schein, E. H. (1999). The Corporate Culture Survival Guide. Jossey-Bass Inc.
[34] Schlienger, T. and Teufel, S. (2003). Information security culture-from analysis to change.
South African Computer Journal, 31, 46-52.
[35] Sekaran, U. and Bougie, R. (2010). Research Methods for Business: A Skill Building Approach (5th ed). West Sussex: John Wiley & Sons.
[36] Shrivastava, A.K. (2016). The Impact Assessment of IT Infrastructure on Information
Security: A Survey Report. Procedia Computer Science, 78, 314-322.
[37] Siponen, M., and Iivari, J. (2006). Six design theories for IS security policies and
guidelines. Journal of the Association for Information Systems,7(7), 445-472.
[38] Skopik, F., Settanni, G., & Fiedler, R. (2016). A problem shared is a problem halved: A
Survey on The Dimensions of Collective Cyber Defense Through Security Information
Sharing. Computers & Security, 60, 154-176.
[39] Tan, R. and Nair, S. (2017, October 31). Malaysia Sees Biggest Mobile Data Breach. The Star. Retrieved from https://www.thestar.com.my/news/nation/2017/10/31/msia-sees-biggest-mobile-data-breach-over-46-million-subscribed-numbers-at-risk-from-scam-attacks-an/
[40] Tolah, A. Furnell, S.M. and Papadaki (2017). A Comprehensive Framework for
Cultivating and Assessing Information Security Culture. Proceedings of the Eleventh
International Symposium on Human Aspects of Information Security & Assurance
(HAISA 2017).
[41] Turulja, L. and Bajgorić, N. (2016). Innovation and Information Technology Capability as Antecedents of Firms' Success. Interdisciplinary Description of Complex Systems, 14(2), 148-156.
[42] Von Solms, B. (2000). Information security - the third wave? Computers & Security,
19(7), 615–620.
[43] Whitman, M. & Mattord, H. (2014). Management of information security. Boston: Course
Technology Cengage Learning.
[44] Xiao-yan, G., Yu-quing, Y., & Li-Leia, L. (2011). An Information Security Maturity
Evaluation Mode. Procedia Engineering, 24(1), 335 – 339.